Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

The J-Web Setup Wizard

Configure SRX Series Firewalls Using the J-Web Setup Wizard

Using the Setup wizard, you can perform step-by-step configuration of a services gateway that can securely pass traffic.

For information on how to start and access the J-Web user interface, see Access the J-Web User Interface.

You can choose one of the following setup modes to configure the services gateway:

  • Standalone mode—Configure your SRX Series Firewall to operate in a standalone mode. In this mode, you can configure basic settings such as device credentials, time, management interface, zones and interfaces, and DNS servers and default gateways.

  • Cluster (HA) mode—Configure your SRX Series Firewall to operate in a cluster (HA) mode. In the cluster mode, a pair of devices are connected together and configured to operate like a single node, providing device, interface, and service level redundancy.

    Note:

    You cannot configure Standalone or Passive mode when your device is in the HA mode.

  • Passive (Tap) mode—Configure your SRX Series Firewall to operate in a TAP mode. TAP mode allows you to passively monitor traffic flows across a network. If IPS is enabled, then the TAP mode inspects the incoming and outgoing traffic to detect the number of threats.

    Note:
    • SRX5000 line of devices, SRX4600, and vSRX Virtual Firewall devices do not support the passive mode configuration.

    • Starting in Junos OS Release 23.4R1, J-Web supports SRX1600 and SRX2300 Firewalls.

To help guide you through the process, the wizard:

  • Determines which configuration tasks to present to you based on your selections.

  • Flags any missing required configuration when you attempt to leave a page.

To configure SRX Series Firewalls using the J-Web Setup wizard:

  1. Select the configuration mode that you want to setup and click Start.

    The Setup Wizard page appears.

  2. For standalone and passive (Tap) modes, complete the configuration according to the guidelines provided in Table 2.

    If you select Cluster (HA) Mode, for the configuration information see Configure Cluster (HA) Setup.

    Note:

    The root password is mandatory in the setup wizard. All other options are optional. In the passive mode, configuration of the management interface, Tap interface, and services are mandatory.

  3. Review the configuration details. If you want to change the configuration, click Edit Configuration, else click Finish.

    Wait till the configuration is committed. A successful message is displayed once the entire configuration is committed to the device.

    Note:
    • If the commit fails, J-Web displays you the error message received from CLI and you remain on the wizard’s last page. Check over your configuration and make changes as necessary so that the commit succeeds.

    • For SRX300 line of devices and SRX550M devices in passive mode, an additional message is displayed about the device reboot if you have enabled Juniper ATP Cloud or Security Intelligence services. For other SRX Series Firewalls, the device will not reboot.

  4. Read if any instructions are available and then click Open J-Web Login Page.

    The J-Web Login page appears.

  5. Enter the root username and password and click Log In.

    Launch Pad screen appears until the J-Web UI is loaded. See J-Web: A First Look.

Example: J-Web Wizard for Standalone Mode

In this section, we'll show you a typical J-Web setup wizard workflow for standalone mode operation. The J-Web interface is updated and modified over time. The below example is representative of the typical workflow. This specific example is based on the Junos 21.3R1 release.

Table 1 provide details on the configuration parameters used for initial setup.

Table 1: Standalone Setup Wizard Parameters
Configuration Parameter Example Value
Root Password "Sample_psswd_for_doc-only!"
Hostname SRX-300
Management interface ge-0/0/1
Management IP and CIDR 10.102.70.79/24
Access Protocols HTTPS, SSH, Ping
Static route for management 10.0.0.0/8, next hop 10.102.70.254
NTP and DNS
  • NTP: north-america.pool.ntp.org

  • DNS: 8.8.8.8 and 8.8.4.4

  • Time zone: PST/Los Angeles

Remote access SSH with root login allowed
Non root user (Admin/super user account) user "lab", password "Sample_psswd_for_doc-only!"
Security Policy Default

Refer to Access the J-Web User Interface for information on how to access the J-Web interface. This example is based on an SRX300. Based on the information in Table 1, the management device is set for DHCP is and is attached to the ge-0/0/1 interface. When running a factory default configuration, the ge-0/0/1 interface is configured as a DHCP server and assigns an address to the PC from the 192.168.1.0/24 subnet. To access J-Web in this scenario, you point the browser to https://192.168.1.1.

  1. We begin at the J-Web setup wizard screen. You click on the option for Standalone Mode and then on the Start button.

    Figure 1: J-Web Setup Wizard Modes J-Web Setup Wizard Modes
  2. Configure the device name, root user, and non-root (administrator) user login information on the Device Credentials page.

    Note:

    Enable SSH for root user.

    Figure 2: J-Web Setup Wizard Device Credentials J-Web Setup Wizard Device Credentials
  3. Click Next.

    The Time page opens.

  4. Configure the timezone, time source, and in the case of NTP, the desired server(s).

    Figure 3: J-Web Setup Wizard Time Servers J-Web Setup Wizard Time Servers
  5. Click Next.

    The Management Interface page opens.

  6. Again, this setup example is based on a SRX 300 series device. This SRX Series Firewall does not have a dedicated management interface. In many cases, their role in branch offices results in their being managed remotely through the WAN interface (ge-0/0/0). On larger SRX Series Firewalls, a dedicated management interface (fxp0) is provided for attachment to an out-of-band (OOB) management network. In this example, you configure the ge-0/0/1 interface as a dedicated OOB management interface.

    Figure 4: J-Web Setup Wizard Management Interface J-Web Setup Wizard Management Interface

    Before continuing, you click on the Access Protocols tab to confirm that HTTPS, SSH, and Ping (ICMP echo) are permitted on the management interface.

    Figure 5: J-Web Setup Wizard Access Protocols J-Web Setup Wizard Access Protocols
  7. Click Next.

    The Zones & Interfaces page opens.

  8. In this example you maintain the factory default security policy. Recall, you can always use J-Web to later modify all aspects of the configuration, to include security, after you complete the initial setup.

    Figure 6: J-Web Setup Wizard Security Zones J-Web Setup Wizard Security Zones
  9. Click Next.

    The DNS Servers & Default Gateways page opens.

  10. Configure a public DNS server IP and leave the default gateway fields blank. If desired, you can add default routes to access other networks that should be reachable over the management interface.

    Figure 7: J-Web Setup Wizard DNS and Default Gateways J-Web Setup Wizard DNS and Default Gateways
  11. Click Next.

    The Setup Wizard opens. This page summarizes your configuration. If desired, you use the Edit Configuration option to make changes.

    Figure 8: J-Web Setup Wizard Summary J-Web Setup Wizard Summary
  12. When satisfied with the configuration, click on Finish. The Setup Wizard displays a status page to indicate the initial configuration is being pushed to the SRX Series Firewalls.

    Figure 9: J-Web Setup Wizard Configuration Push J-Web Setup Wizard Configuration Push

    In a few moments, the Setup Successful page is displayed. Congratulations! Your SRX Series Firewall is remotely accessible and is ready for ongoing management using the J-Web interface.

    Figure 10: J-Web Setup Wizard Successful J-Web Setup Wizard Successful
    Note:

    Recall that in this SRX-300 based example the management device is directly connected to the SRX on the ge-0/0/1 port. You performed initial configuration using a 192.168.1.0/24 address that was assigned by the SRX Series Firewall using DHCP.

    Using the setup wizard, you configured the ge-0/0/1 interface as a dedicated management interface and assigned a static IP address of 10.102.70.89/24. As a result, the ge-0/0/1 interface no longer functions as a DHCP server.

    Once the new configuration is activated, you must ensure the management device is configured with a compatible IP address if it remains directly connected to the ge-0/0/1 interface. You log in back into J-Web using https://10.102.70.89.

Congratulations! You have completed initial setup using J-Web. Keep going by visiting the below links:

J-Web Setup Wizard Parameters

This section serves as a reference for the mode specific parameters that you can configure using the J-Web Setup Wizard. Table 2 provide details of the parameters that can be configured in the standalone and passive (Tap) modes. For details on parameters supported in cluster (HA) mode, see Configure Cluster (HA) Setup.

Table 2: Setup Wizard Configuration

Field

Action

Device Credentials
System Identity

Device name

Enter a hostname.

You can use alphanumeric characters, special characters such as the underscore (_), the hyphen (-), or the period (.); the maximum length is 255 characters.

Root Account

Username

Displays the root user.

Note:

We recommend that you do not use root user account as a best practice to manage your devices.

Password

Enter a password.

You can use alphanumeric characters and special characters; the minimum length is six characters.

SSH for root user

Enable this option to allow the root login (to the device) using SSH.

Admin Account

Username

Enter the admin username to manage the device.

Password

Enter the admin password.

Time Configuration
Time

Time zone

Select a time zone from the list.

Time source

Select either NTP server, computer time, or Manual to configure the system time:

  • NTP Server > NTP servers—Select the NTP server in the Available column and move to the selected column using the right arrow. Once the system is connected to the network, the system time is synced with the NTP server time.

    In addition, to add a new NTP server, click + and enter a hostname or IP address of the NTP server and click OK.

    Note:

    If you want to add more NTP servers, go to Device Administration > Basic Settings > Date & Time Details through the J-Web menu.

  • Computer Time > Computer time—Device automatically synchronizes with your computer time only during the setup.

  • Manual > Date and time—Select the date and time (in MM-DD-YYYY and HH:MM:SS 24-hour format) to configure the system time manually.

Management Interface Configuration
Management Interface
Note:

If you change the management IP address and click Next, a warning message appears on the Management Interface page that you need to use the new management IP address to log in to J-Web because you may lose the connectivity to J-Web.

Management interface

Select an interface from the list.

If fxp0 port is your device’s management port, then the fxp0 port is displayed. You can change it as required or you can select None and proceed to the next page.

Note:
  • You can choose the revenue port as management port if your device does not support the fxp0 port. Revenue ports are all ports except fxp0 and em0.

  • If you are in the Standalone mode, you can choose None for the management interface and click Next to proceed to the next screen.

  • If you are in the Passive (Tap) mode, it is mandatory to configure a management port. J-Web needs a management port for viewing generated report.

IPv4
Note:

Click email to self to get the newly configured IPv4 or IPv6 address to your inbox. This is useful if you lose connectivity when you change the management IP address to another network.

Management address

Enter a valid IPv4 address for the management interface.

Note:

If fxp0 port is your device’s management port, then the fxp0 port’s default IP address is displayed. You can change it if required.

Management subnet mask

Enter a subnet mask for the IPv4 address.

If you have changed the management address, use the new IP address to access J-Web.

Static route

Enter an IPv4 address for the static route to route to the other network devices.

Static route subnet mask

Enter a subnet mask for the static route IPv4 address.

Next hop gateway

Enter a valid IPv4 address for the next hop.

IPv6

Management access

Enter a valid IPv6 address for the management interface.

Management subnet prefix

Enter a subnet prefix length for the IPv6 address.

Static route

Enter an IPv6 address for the static route if required to reach the device through the management interface.

Static route subnet prefix

Enter a subnet prefix length for the static route IPv6 address.

Next hop gateway

Enter a valid IPv6 address for the next hop.

Access Protocols
Note:

This option is available for all the ports except fxp0.

HTTPS

This option is enabled by default.

SSH

This option is enabled by default.

Ping

Enable this option for ping service.

DHCP

Enable this option for DHCP service.

NETCONF

Enable this option for NETCONF service.

Zones & Interfaces
Security Policy
Note:

This option is available only for the Standalone mode. For the Passive (Tap) mode, this option is available under Tap Settings.

From Zone

Name of the source zone. In the standalone mode, permits all traffic from the trust zone.

To Zone

Name of the destination zone. In standalone mode, permits all traffic from the trust zone to the untrust zone.

Source

Name of the source address (not the IP address) of a policy.

Destination

Name of the destination address.

Application

Name of a preconfigured or custom application of the policy match.

Action

Action taken when a match occurs as specified in the policy.

Zones

—Displays the available trust and untrust zones configuration.

Trust Zone Interfaces
Note:

This option is available only for the Standalone mode.

Add Trust Zone Interface

Click + to add trust zone interface. For more information on the fields, see Table 3.

Edit Trust Zone Interface

Select an interface and click the pencil icon at the right corner of the table to modify the configuration.

Delete Trust Zone Interface

Select an interface and click the delete icon at the upper-right corner of the table.

A confirmation window appears. Click Yes to delete the selected interface or click No to discard.

Search Trust Zone Interface

Click the search icon at the right corner of the table to quickly locate a zone or an interface.

Detailed View Trust Zone Interface

Hover over the interface name and click the Detailed View icon to view the zone and interface details.

Trust Zone Interfaces—Zone Level Settings

Zone name

View the trust zone name populated from your device factory default settings.

Note:

For standalone mode, trust and untrust zones are created by default even if these zones are not available in the factory default settings.

Description

Enter the description for trust zone.

System services

Enable this option for the types of traffic that can reach the device on a particular interface.

By default, this option is enabled. You can disable if required.

Protocols

Enable this option to configure the device to perform stateful network traffic filtering on network packets using network traffic protocols (for example, TCP and UDP).

By default, this option is enabled. You can disable if required.

Application tracking

Enable this option to collect byte, packet, and duration statistics for application flows in the specified zone.

Source identity log

Enable this option for the device to log the user identity information based on the source zone configured in the security policy.

Untrust Zone Interfaces

Add Untrust Zone Interface

Click + to add untrust zone interface. For more information on the fields, see Table 4.

Edit Untrust Zone Interface

Select an interface and click the pencil icon at the right corner of the table to modify the configuration.

Delete Untrust Zone Interface

Select an interface and click the delete icon at the upper-right corner of the table.

A confirmation window appears. Click Yes to delete the selected interface or click No to discard.

Search Untrust Zone Interface

Click the search icon at the upper-right corner of the table to quickly locate a zone or an interface.

Detailed View Untrust Zone Interface

Hover over the interface name and click the Detailed View icon to view the zone and interface details.

Untrust Zone Interfaces—Zone Level Settings

Zone name

View the untrust zone name populated from your device factory default settings.

Note:

For standalone mode, trust and untrust zones are created by default even if these zones are not available in the factory default settings.

Description

Enter the description for untrust zone.

Application tracking

Enable this option to collect byte, packet, and duration statistics for application flows in the specified zone.

Source identity log

Enable this option for the device to log the user identity information based on the source zone configured in the security policy.

DNS Servers & Default Gateways
DNS Servers

DNS server 1

Enter the IPv4 or IPv6 address of the primary DNS.

DNS server 2

Enter the IPv4 or IPv6 address of the secondary DNS.

Default Gateway

Default gateway (IPv4)

Enter the IPv4 address of the next possible destination for any network.

Default gateway (IPv6)

Enter the IPv6 address of the next possible destination for any network.

Tap Settings
Note:

This option is available only for the Passive (Tap) mode.

Tap Settings

Tap interface

Select the interface from the list.

IP-IP tunnel inspection

Enable this option for the SRX Series Firewall to inspect pass through traffic over an IP-IP tunnel.

GRE tunnel inspection

Enable this option for the SRX Series Firewall to inspect pass through traffic over a GRE tunnel.

Security Policy & Advanced Services
Note:

Your device must have internet connectivity to use IPS, Web filtering, Juniper ATP Cloud, and Security threat intelligence services.

From Zone

Name of the source zone. In the Tap mode, permits all traffic from the tap zone.

To Zone

Name of the destination zone. In the Tap mode, permits all traffic from the TAP zone to the TAP zone.

Source

Name of the source address (not the IP address) of a policy.

Destination

Name of the destination address.

Application

Name of a preconfigured or custom application of the policy match.

Action

Action taken when a match occurs as specified in the policy.

Content Security

Content Security

Enable this option for configuring Content Security services.

License

Enter Content Security license key and click Install License to add a new license.

Note:
  • Use a blank line to separate multiple license keys.

  • To use Content Security services, your device must have internet connectivity from a revenue interface.

Content Security type

Select an option to configure Content Security features:

  • Web Filtering

  • Antivirus

  • Antispam

Web filtering type

Select an option:

  • Enhanced—Specifies that the Juniper Enhanced Web filtering intercepts the HTTP and the HTTPS requests and sends the HTTP URL or the HTTPS source IP to the Websense ThreatSeeker Cloud (TSC).

  • Local—Specifies the local profile type.

IPS

IPS

Enable this option to install the IPS signatures.

License

Enter the license key and click Install License to add a new license.

Note:

The installation process may take few minutes.

IPS signature

Click Browse to navigate to the IPS signature package folder and select it. Click Install to install the selected IPS signature package.

Note:

You can download the IPS signature offline package at https://support.juniper.net/support/downloads/.

ATP Cloud

ATP Cloud

Enable this option to use Juniper ATP Cloud services.

Note:

After the Juniper ATP Cloud configuration is pushed, only the SRX300 line of devices and SRX550M devices are rebooted. Your device must have internet connectivity to enable Juniper ATP Cloud enrollment process through J-Web.

Security Intelligence

Security intelligence

Enable this option to use Security intelligence services.

Note:

After the Security Intelligence configuration is pushed, only the SRX300 line of devices and SRX550M devices are rebooted. Your device must have internet connectivity to enable Juniper ATP Cloud enrollment process through J-Web.

User Firewall

User Firewall

Enable this option to use user firewall services.

Domain name

Enter a domain name for Active Directory.

Domain controller

Enter domain controller IP address.

Username

Enter a username for administrator privilege.

Password

Enter a password for administrator privilege.

Table 3: Add Trust Zone

Field

Action

General

Type (family)

  • Select Switching. Fields for switching interface are:

    Note:

    This option will be available for only SRX300 Series Firewalls, SRX550M, and SRX1500, and SRX1600 Firewalls. For SRX2300, SRX4100, SRX4200, SRX4600, SRX5000 Series Firewalls, and vSRX Virtual Firewalls, the Type (family) field is not available.

    • IRB interface Unit—Enter the IRB unit.

    • Description—Enter the description for the interface.

  • Select Routing. Fields for routing interface are:

    For SRX5000 Series Firewalls, SRX4100, SRX4200, SRX4600, and vSRX Virtual Firewalls, the Type (family) field is not available.

    • Interface—Select an option from list.

    • Interface unit—Enter the Inet unit.

      Note:

      VLAN tagging is enabled automatically if the interface unit is higher than zero.

    • Description—Enter the description for the interface.

    • VLAN ID—Enter the VLAN ID.

      Note:

      VLAN ID is mandatory if the interface unit is higher than zero.

Interfaces

Select an interface from the Available column and move it to the Selected column.

Note:

This option is available only for the Switching family type.

VLAN
Note:

This option is available only for the Switching family type.

Name

Enter a unique name for the VLAN.

VLAN ID

Enter the VLAN ID.

IPv4

IPv4 address

Enter a valid IPv4 address for the switching or the routing interface.

Subnet mask

Enter a subnet mask for the IPv4 address.

IPv6

IPv6 address

Enter a valid IPv6 address for the switching or the routing interface.

Subnet prefix

Enter a subnet prefix for the IPv6 address.

DHCP Local Server

DHCP local server

Enable this option to configure the switch to function as an extended DHCP local server.

Pool name

Enter the DHCP pool name.

Pool start address

Enter the starting IPv4 address of the DHCP server pool address range. This address must be within the IPv4 network.

Pool end address

Enter the ending IPv4 address of the DHCP server pool address range. This address must be within the IPv4 network.

Note:

This address must be greater than the address specified in Pool start address.

Propagate settings from

Select an option from the list. Propagation of TCP/IP settings (such as, DNS and gateway address) received on the device interface acting as DHCP client.

Services & Protocols

System Services

Select system services from the list in the Available column and then click the right arrow to move it to the Selected column.

The available options are:

  • all—Specify all system services.

  • any-service—Specify services on entire port range.

  • appqoe—Specify the APPQOE active probe service.

  • bootp—Specify the Bootp and dhcp relay agent service.

  • dhcp—Specify the Dynamic Host Configuration Protocol.

  • dhcpv6—Enable Dynamic Host Configuration Protocol for IPV6.

  • dns—Specify the DNS service.

  • finger—Specify the finger service.

  • ftp—Specify the FTP protocol.

  • http—Specify the Web management using HTTP.

  • https—Specify the Web management using HTTP secured by SSL.

  • ident-reset—Specify the send back TCP RST IDENT request for port 113.

  • ike—Specify the Internet key exchange.

  • lsping—Specify the Label Switched Path ping service.

  • netconf—Specify the NETCONF Service.

  • ntp—Specify the network time protocol.

  • ping—Specify the internet control message protocol.

  • r2cp—Enable Radio-Router Control Protocol.

  • reverse-ssh—Specify the reverse SSH Service.

  • reverse-telnet—Specify the reverse telnet Service.

  • rlogin—Specify the Rlogin service

  • rpm—Specify the Real-time performance monitoring.

  • rsh—Specify the Rsh service.

  • snmp—Specify the Simple Network Management Protocol.

  • snmp-trap—Specify the Simple Network Management Protocol trap.

  • ssh—Specify the SSH service.

  • tcp—encap-Specify the TCP encapsulation service.

  • telnet—Specify the Telnet service.

  • tftp—Specify the TFTP

  • traceroute—Specify the traceroute service.

  • webapi-clear-text—Specify the Webapi service using http.

  • webapi-ssl—Specify the Webapi service using HTTP secured by SSL.

  • xnm-clear-text—Specify the JUNOScript API for unencrypted traffic over TCP.

  • xnm-ssl—Specify the JUNOScript API Service over SSL.

Protocols

Select protocols from the list in the Available column and then click the right arrow to move it to the Selected column.

The available options are:

  • all—Specifies all protocol.

  • bfd—Bidirectional Forwarding Detection.

  • bgp—Border Gateway Protocol.

  • dvmrp—Distance Vector Multicast Routing Protocol.

  • igmp—Internet Group Management Protocol.

  • ldp—Label Distribution Protocol.

  • msdp—Multicast Source Discovery Protocol.

  • nhrp- Next Hop Resolution Protocol.

  • ospf—Open shortest path first.

  • ospf3—Open shortest path first version 3.

  • pgm—Pragmatic General Multicast.

  • pim—Protocol Independent Multicast.

  • rip—Routing Information Protocol.

  • ripng—Routing Information Protocol next generation.

  • router-discovery—Router Discovery.

  • rsvp—Resource Reservation Protocol.

  • sap—Session Announcement Protocol.

  • vrrp—Virtual Router Redundancy Protocol.

Table 4: Add Untrust Zone

Field

Action

General

Interface

Select an interface from the list.

Interface unit

Enter the interface unit value.

VLAN ID

Enter the VLAN ID.

Note:

VLAN ID is mandatory if the interface unit is higher than zero.

Description

Enter the description for the interface.

Address Mode

Select an address mode for the interface. The available options are DHCP Client, PPPoE (PAP), PPPoE (CHAP) and Static IP.

Note:

PPPoE (PAP) and PPPoE (CHAP) are not supported for SRX5000 Series Firwalls and if any of the devices are in passive mode.

Username

Enter a username for PPPoE (PAP) or PPPoE (CHAP) authentication.

Password

Enter a password for PPPoE (PAP) or PPPoE (CHAP) authentication.

IPv4
Note:

This option is available only for the Static IP address mode.

IPv4 Address

Enter a valid IPv4 address for the interface.

Subnet Mask

Enter a subnet mask for the IPv4 address.

IPv6
Note:

This option is available only for the Static IP address mode.

IPv6 Address

Enter a valid IPv6 address for the interface.

Subnet Prefix

Enter a subnet prefix for the IPv6 address.

Services & Protocols

System Services

Select system services from the list in the Available column and then click the right arrow to move it to the Selected column.

Protocols

Select protocols from the list in the Available column and then click the right arrow to move it to the Selected column.